Sign in to https://admin.webex.com, and then click Services.

In the Hybrid Services section, find the Hybrid Data Security card, and then click Set up.

If the card is disabled or you don’t see it, contact your account team or your partner organization. Give them your account number and ask to enable your organization for Hybrid Data Security. To find the account number, click the gear at the top right, next to your organization name.

You can also download the OVA at any time from the Help section on the Settings page. On the Hybrid Data Security card, click Edit settings to open the page. Then, click Download Hybrid Data Security software in the Help section.

Older versions of the software package (OVA) will not be compatible with the latest Hybrid Data Security upgrades. This can result in issues while upgrading the application. Make sure you download the latest version of the OVA file.

Select No to indicate that you haven’t set up the node yet, and then click Next.

Optionally, click Open Deployment Guide to check if there’s a later version of this guide available.

At your machine's command line, enter the appropriate command for your environment:

In regular environments:

docker rmi ciscocitg/hds-setup:stable

In FedRAMP environments:

docker rmi ciscocitg/hds-setup-fedramp:stable

This step cleans up previous HDS setup tool images. If there are no previous images, it returns an error which you can ignore.

To sign in to the Docker image registry, enter the following:

docker login -u hdscustomersro

At the password prompt, enter this hash:

dckr_pat_aDP6V4KkrvpBwaQf6m6ROkvKUIo

Download the latest stable image for your environment:

docker pull ciscocitg/hds-setup:stable

docker pull ciscocitg/hds-setup-fedramp:stable

When the pull completes, enter the appropriate command for your environment:

• In regular environments without a proxy:

  docker run -p 8080:8080 --rm -it ciscocitg/hds-setup:stable

• In regular environments with an HTTP proxy:

  docker run -p 8080:8080 --rm -it -e GLOBAL_AGENT_HTTP_PROXY=http://SERVER_IP:PORT ciscocitg/hds-setup:stable

• In regular environments with an HTTPS proxy:

  docker run -p 8080:8080 --rm -it -e GLOBAL_AGENT_HTTPS_PROXY=http://SERVER_IP:PORT ciscocitg/hds-setup:stable

• In FedRAMP environments without a proxy:

  docker run -p 8080:8080 --rm -it ciscocitg/hds-setup-fedramp:stable

• In FedRAMP environments with an HTTP proxy:

  docker run -p 8080:8080 --rm -it -e GLOBAL_AGENT_HTTP_PROXY=http://SERVER_IP:PORT ciscocitg/hds-setup-fedramp:stable

• In FedRAMP environments with an HTTPS proxy:

  docker run -p 8080:8080 --rm -it -e GLOBAL_AGENT_HTTPS_PROXY=http://SERVER_IP:PORT ciscocitg/hds-setup-fedramp:stable

The Setup tool does not support connecting to localhost through http://localhost:8080. Use http://127.0.0.1:8080 to connect to localhost.

Use a web browser to go to the localhost, http://127.0.0.1:8080, and enter customer admin username for Control Hub at the prompt.

When prompted, enter your Control Hub customer admin sign-in credentials, and then click Log in to allow access to the required services for Hybrid Data Security.

On the Setup Tool overview page, click Get Started.

On the ISO Import page, you have these options:

• No—If you’re creating your first HDS node, you don't have an ISO file to upload.
• Yes—If you already created HDS nodes, then you select your ISO file in the browse and upload it.

Check that your X.509 certificate meets the requirements in X.509 Certificate Requirements.

• If you never uploaded a certificate before, upload the X.509 certificate, enter the password, and click Continue.
• If your certificate is OK, click Continue.
• If your certificate has expired or you want to replace it, select No for Continue using HDS certificate chain and private key from previous ISO?. Upload a new X.509 certificate, enter the password, and click Continue.

Enter the database address and account for HDS to access your key datastore:

1. Select your Database Type (PostgreSQL or Microsoft SQL Server).

   If you choose Microsoft SQL Server, you get an Authentication Type field.

2. (Microsoft SQL Server only) Select your Authentication Type:

   • Basic Authentication: You need a local SQL Server account name in the Username field.

   • Windows Authentication: You need a Windows account in the format username@DOMAIN in the Username field.

3. Enter the database server address in the form <hostname>:<port> or <IP-address>:<port>.

   Example:
   dbhost.example.org:1433 or 198.51.100.17:1433

   You can use an IP address for basic authentication, if the nodes can't use DNS to resolve the hostname.

   If you are using Windows authentication, you must enter a Fully Qualified Domain Name in the format dbhost.example.org:1433

4. Enter the Database Name.

5. Enter the Username and Password of a user with all privileges on the key storage database.

Select a TLS Database Connection Mode:

Mode	Description
Prefer TLS (default option)	HDS nodes don’t require TLS to connect to the database server. If you enable TLS on the database server, the nodes attempt an encrypted connection.
Require TLS	HDS nodes connect only if the database server can negotiate TLS.
Require TLS and verify certificate signer	This mode isn’t applicable for SQL Server databases. HDS nodes connect only if the database server can negotiate TLS. After establishing a TLS connection, the node compares the signer of the certificate from the database server to the certificate authority in the Database root certificate. If they don't match, the node drops the connection. Use the Database root certificate control below the drop-down to upload the root certificate for this option.
Require TLS and verify certificate signer and hostname	HDS nodes connect only if the database server can negotiate TLS. After establishing a TLS connection, the node compares the signer of the certificate from the database server to the certificate authority in the Database root certificate. If they don't match, the node drops the connection. The nodes also verify that the hostname in the server certificate matches the hostname in the Database host and port field. The names must match exactly, or the node drops the connection. Use the Database root certificate control below the drop-down to upload the root certificate for this option.

On the System Logs page, configure your Syslogd server:

1. Enter the syslog server URL.

   If the server isn’t DNS-resolvable from the nodes for your HDS cluster, use an IP address in the URL.

   Example:
   udp://10.92.43.23:514 indicates logging to Syslogd host 10.92.43.23 on UDP port 514.

2. If you set up your server to use TLS encryption, check Is your syslog server configured for SSL encryption?.

   If you check this check box, make sure you enter a TCP URL such as tcp://10.92.43.23:514.

3. From the Choose syslog record termination drop-down, choose the appropriate setting for your ISO file: Choose or Newline is used for Graylog and Rsyslog TCP

   • Null byte -- \x00

   • Newline -- \n—Select this choice for Graylog and Rsyslog TCP.

4. Click Continue.

(Optional) You can change the default value for some database connection parameters in Advanced Settings. Generally, this parameter is the only one that you might want to change:

app_datasource_connection_pool_maxSize: 10

Click Continue on the Reset Service Accounts Password screen.

Click Download ISO File. Save the file in a location that's easy to find.

Make a backup copy of the ISO file on your local system.

To shut down the Setup tool, type CTRL+C.

Use the VMware vSphere client on your computer to log into the ESXi virtual host.

Select File > Deploy OVF Template.

In the wizard, specify the location of the OVA file that you downloaded earlier, and then click Next.

On the Select a name and folder page, enter a Virtual machine name for the node (for example, "HDS_Node_1"), choose a location where the virtual machine node deployment can reside, and then click Next.

On the Select a compute resource page, choose the destination compute resource, and then click Next.

Verify the template details and then click Next.

If you are asked to choose the resource configuration on the Configuration page, click 4 CPU and then click Next.

On the Select storage page, click Next to accept the default disk format and VM storage policy.

On the Select networks page, choose the network option from the list of entries to provide the desired connectivity to the VM.

On the Customize template page, configure the following network settings:

• Hostname—Enter the FQDN (hostname and domain) or a single word hostname for the node.

  You do not need to set the domain to match the domain that you used to obtain the X.509 certificate. To ensure a successful registration to the cloud, use only lowercase characters in the FQDN or hostname that you set for the node. Capitalization is not supported at this time. The total length of the FQDN must not exceed 64 characters.

• IP Address— Enter the IP address for the internal interface of the node.

  Your node should have an internal IP address and DNS name. DHCP is not supported.

• Mask—Enter the subnet mask address in dot-decimal notation. For example, 255.255.255.0.
• Gateway—Enter the gateway IP address. A gateway is a network node that serves as an access point to another network.
• DNS Servers—Enter a comma-separated list of DNS servers, which handle translating domain names to numeric IP addresses. (Up to 4 DNS entries are allowed.)
• NTP Servers—Enter your organization's NTP server or another external NTP server that can be used in your organization. The default NTP servers may not work for all enterprises. You can also use a comma-separated list to enter multiple NTP servers.

• Deploy all the nodes on the same subnet or VLAN, so that all nodes in a cluster are reachable from clients in your network for administrative purposes.

If preferred, you can skip the network setting configuration and follow the steps in Set up the Hybrid Data Security VM to configure the settings from the node console.

The option to configure network settings during OVA deployment has been tested with ESXi 6.5. The option may not be available in earlier versions.

Right-click the node VM, and then choose Power > Power On.

In the VMware vSphere client, select your Hybrid Data Security node VM and select the Console tab.

Use the following default login and password to sign in and change the credentials:

1. Login: admin

2. Password: cisco

If you already configured the network settings in Install the HDS Host OVA, skip the rest of this procedure. Otherwise, in the main menu, select the Edit Configuration option.

Set up a static configuration with IP address, Mask, Gateway and DNS information. Your node should have an internal IP address and DNS name. DHCP is not supported.

(Optional) Change the hostname, domain or NTP server(s), if needed to match your network policy.

Save the network configuration and reboot the VM so that the changes take effect.

Upload the ISO file from your computer:

1. In the VMware vSphere client's left navigation pane, click on the ESXi server.

2. On the Configuration tab's Hardware list, click Storage.

3. In the Datastores list, right-click on the datastore for your VMs and click Browse Datastore.

4. Click on the Upload Files icon, and then click Upload File.

5. Browse to the location where you downloaded the ISO file on your computer and click Open.

6. Click Yes to accept the upload/download operation warning, and close the datastore dialog.

Mount the ISO file:

1. In the VMware vSphere client's left navigation pane, right-click on the VM and click Edit Settings.

2. Click OK to accept the restricted edit options warning.

3. Click CD/DVD Drive 1, select the option to mount from a datastore ISO file, and browse to the location where you uploaded the configuration ISO file.

4. Check Connected and Connect at power on.

5. Save your changes and reboot the virtual machine.

Enter the HDS node setup URL https://[HDS Node IP or FQDN]/setup in a web browser, enter the admin credentials that you set up for the node, and then click Sign In.

Go to Trust Store & Proxy, and then choose an option:

• No Proxy—The default option before you integrate a proxy. No certificate update is required.
• Transparent Non-Inspecting Proxy—Nodes are not configured to use a specific proxy server address and should not require any changes to work with a non-inspecting proxy. No certificate update is required.
• Transparent Inspecting Proxy—Nodes are not configured to use a specific proxy server address. No HTTPS configuration changes are necessary on the Hybrid Data Security deployment, however, the HDS nodes need a root certificate so that they trust the proxy. Inspecting proxies are typically used by IT to enforce policies on which websites can be visited and which types of content are not permitted. This type of proxy decrypts all your traffic (even HTTPS).
• Explicit Proxy—With explicit proxy, you tell the client (HDS nodes) which proxy server to use, and this option supports several authentication types. After you choose this option, you must enter the following information:

  1. Proxy IP/FQDN—Address that can be used to reach the proxy machine.

  2. Proxy Port—A port number that the proxy uses to listen for proxied traffic.

  3. Proxy Protocol—Choose http (views and controls all requests that are received from the client) or https (provides a channel to the server and the client receives and validates the server's certificate). Choose an option based on what your proxy server supports.

  4. Authentication Type—Choose from among the following authentication types:

     • None—No further authentication is required.

       Available for HTTP or HTTPS proxies.

     • Basic—Used for an HTTP User Agent to provide a user name and password when making a request. Uses Base64 encoding.

       Available for HTTP or HTTPS proxies.

       If you choose this option, you must also enter the user name and password.

     • Digest—Used to confirm the account before sending sensitive information. Applies a hash function on the user name and password before sending over the network.

       Available for HTTPS proxies only.

       If you choose this option, you must also enter the user name and password.

Click Upload a Root Certificate or End Entity Certificate, and then navigate to a choose the root certificate for the proxy.

Click Check Proxy Connection to test the network connectivity between the node and the proxy.

After the connection test passes, for explicit proxy set to https only, turn the toggle on to Route all port 443/444 https requests from this node through the explicit proxy. This setting requires 15 seconds to take effect.

Click Install All Certificates Into the Trust Store (appears for an HTTPS explicit proxy or a transparent inspecting proxy) or Reboot (appears for an HTTP explicit proxy), read the prompt, and then click Install if you're ready.

After the node reboots, sign in again if needed, and then open the Overview page to check the connectivity checks to make sure they are all in green status.

Sign in to https://admin.webex.com.

From the menu on the left side of the screen, select Services.

In the Hybrid Services section, find Hybrid Data Security and click Set up.

Select Yes to indicate that you have set up the node and are ready to register it, and then click Next.

In the first field, enter a name for the cluster to which you want to assign your Hybrid Data Security node.

In the second field, enter the internal IP address or fully qualified domain name (FQDN) of your node and click Next.

Click Go to Node.

Click Continue in the warning message.

Check the Allow Access to Your Hybrid Data Security Node checkbox, and then click Continue.

Click the link or close the tab to go back to the Control Hub Hybrid Data Security page.

Create a new virtual machine from the OVA, repeating the steps in Install the HDS Host OVA.

Set up the initial configuration on the new VM, repeating the steps in Set up the Hybrid Data Security VM.

On the new VM, repeat the steps in Upload and Mount the HDS Configuration ISO.

If you are setting up a proxy for your deployment, repeat the steps in Configure the HDS Node for Proxy Integration as needed for the new node.

Register the node.

1. In https://admin.webex.com, select Services from the menu on the left side of the screen.

2. In the Hybrid Services section, find the Hybrid Data Security card and click Resources.

   The Hybrid Data Security Resources page appears.

3. Click Add Resource.

4. In the first field, select the name of your existing cluster.

5. In the second field, enter the internal IP address or fully qualified domain name (FQDN) of your node and click Next.

   A message appears indicating you can register your node to the Webex cloud.

6. Click Go to Node.

   After a few moments, you are redirected to the node connectivity tests for Webex services. If all tests are successful, the Allow Access to Hybrid Data Security Node page appears. There, you confirm that you want to give permissions to your organization to access your node.

7. Check the Allow Access to Your Hybrid Data Security Node checkbox, and then click Continue.

   Your account is validated and the "Registration Complete" message indicates that your node is now registered to the Webex cloud.

8. Click the link or close the tab to go back to the Control Hub Hybrid Data Security page.